Beyond eCK: perfect forward secrecy under actor compromise and ephemeral-key reveal

Abstract

We show that it is possible to achieve perfect forward secrecy (PFS) in two-message or one-round key exchange (KE) protocols even in the presence of very strong active adversaries that can reveal random values of sessions and compromise long-term secret keys of parties. We provide two new game-based security models for KE protocols with increasing security guarantees, namely, eCK\(^{w}\) and eCK-PFS. The eCK\(^{w}\) model is a slightly stronger variant of the extended Canetti–Krawczyk (eCK) security model. The eCK-PFS model captures PFS in the presence of eCK\(^{w}\) adversaries. We propose a security-strengthening transformation (i. e., a compiler) from eCK\(^{w}\) to eCK-PFS that can be applied to protocols that only achieve security in a weaker model than eCK\(^{w}\), which we call eCK\(^{\text {passive}}\). We show that, given a two-message Diffie–Hellman type protocol secure in eCK\(^{\text {passive}}\), our transformation yields a two-message protocol that is secure in eCK-PFS. We demonstrate how our transformation can be applied to concrete KE protocols. In particular, our methodology allows us to prove the security of the first known one-round protocol that achieves PFS under actor compromise and ephemeral-key reveal.

Appendix

1.1 1. On the eCK model [28]

There are two main aspects in which the eCK model is underspecified.

First, the eCK model specifies that in the setup phase of the security experiment, the adversary may register arbitrary public keys [28, p. 8]. This can be interpreted in at least two ways: (a) the adversary may register arbitrary valid public keys (e. g., elements of a given group \(G\)), or (b) the adversary may register arbitrary bit strings (e. g., elements that do not belong to a given group \(G\)). As the security proof of NAXOS in the eCK model [28, pp. 12-16] is incomplete, it is unclear whether the result of LaMacchia et al. [28, Theorem 1] holds under the second interpretation. In addition, LaMacchia et al. [28, Fig. 1] state that the HMQV protocol achieves CK-security under arbitrary key registration, (the same key registration as in the eCK model). This statement is only correct under interpretation (a), because HMQV is vulnerable to small-subgroup attacks as described in [33, p. 53], a reference cited in [28]. We therefore assume the literal interpretation (a), i. e., the adversary may register arbitrary valid public keys from the key space. This is also in line with the descriptions in [18, 24, 37].

Second, the eCK model puts no explicit restrictions on the \(\mathsf{corrupt } \) query. For honest parties the intent of the query is clear. However, it is unclear in [28] whether the query is allowed on adversary-controlled parties on behalf of those the adversary registered a public key. Consider the following two cases for adversary-controlled parties. On the one hand, if the adversary already knows the secret key corresponding to the valid public key he registered, then the \(\mathsf{corrupt } \) query is redundant. On the other hand, if the adversary were allowed to perform this query when he does not know the secret key of the corresponding valid public key, then no protocol would be secure in the eCK model: the adversary would be able to obtain the secret key of any honest party by simply re-registering the public key for an adversary-controlled party, and then corrupting the latter party. In particular, this gives the adversary access to the secret keys of honest parties without performing a \(\mathsf{corrupt } \) on these honest parties, which can then be combined with an ephemeral-key query to compute the session key of the test session. The previous observations lead us to the conclusion that the query \(\mathsf{corrupt } ({\hat{P}})\) should be defined in such a way that it returns the secret keys of party \({\hat{P}}\) if \({\hat{P}}\) is honest, and \(\bot \) otherwise.

We show in Proposition 8 that our eCK\(^{w}\) model is stronger than the eCK model with respect to \(\varPi \).

Proposition 8

Let \(\varPi \) be the class of two-message KE protocols. The eCK\(^{w}\) model is stronger than the eCK model with respect to \(\varPi \).

Proof

The first condition of Definition 6 is satisfied since matching is defined in the same way for both models eCK\(^{w}\) and eCK. Let \(\pi \in \varPi \). To show that the second condition of Definition 6 holds, we construct an adversary \(E^{\prime }\) attacking protocol \(\pi \) in model eCK\(^{w}\) using an adversary \(E\) attacking \(\pi \) in eCK. In the setup phase of the eCK experiment, the adversary selects \(N\) distinct binary strings \({\hat{P_{1}}},{\hat{P_{2}}},\ldots ,{\hat{P}_{N}}\) for \(N\) honest parties. Define \(\mathcal{P }=\{{\hat{P_{1}}},{\hat{P_{2}}},\ldots ,{\hat{P}_{N}}\}\) for the eCK\(^{w}\) experiment. During the registration phase at the onset of the experiment, in case \(E\) registers valid public keys on behalf of adversary-controlled parties \({\hat{L}}\notin \mathcal{P }\), \(E^{\prime }\) proceeds with the same registration of keys. Whenever \(E\) issues a query send, corrupt, ephemeral-key, session-key or test-session, adversary \(E^{\prime }\) issues the same query and forwards the answer received to \(E\). At the end of \(E\)’s execution, i. e. after it has output its guess bit \(b\), \(E^{\prime }\) outputs \(b\) as well. Note that if \({\text {eCK}}_{\text {fresh}}\) holds for the test session, then by definition \({\text {eCK}^{\mathrm{w}}}_{\mathrm{fresh}}\) also holds. In particular, if there is no matching session, then the last condition in the freshness definition of the eCK model [28, p. 9] requires that there is no corrupt of the peer, which implies the sixth condition of \({\text {eCK}^{\mathrm{w}}}_{\mathrm{fresh}}\). Hence, it holds that \(Adv_{E}^{\pi }(k)\le Adv_{E^{\prime }}^{\pi }(k)\), where \(k\) denotes the security parameter. Since by assumption protocol \(\pi \) is secure in eCK\(^{w}\), there is a negligible function \(g\) such that \(Adv_{E^{\prime }}^{\pi }(k)\le g(k)\). It follows that protocol \(\pi \) is secure in eCK. \(\square \)

1.2 2. Proof of Proposition 6

Proposition 6 Under the GAP-CDH assumption in the cyclic group \(G\) of prime order \(p\), the NAXOS protocol is satisfies eCK\(^{w}\) security, when \(H_{1},H_{2}\) are modeled as independent random oracles.

Proof

Here we show that NAXOS is secure in eCK\(^{w}\). We use the structure of the security proof of the CMQV protocol in [37] as it is more detailed than the proof of NAXOS in [28].

Let the test session \(s^{*}\) be given by \({T} _{s^{*}}=({\hat{A}},{\hat{B}},\mathcal I ,X,Y)\). We first consider event \(K^{c}\) where the adversary \(M\) wins the security experiment against NAXOS (with non-negligible advantage) and does not query \(H_{2}\) with \((\sigma _{1},\sigma _{2},\sigma _{3},{\hat{A}},{\hat{B}})\), where \(\sigma _{1}=\text {CDH}(Y,A),\sigma _{2}=\text {CDH}(B,X)\) and \(\sigma _{3}=\text {CDH}(X,Y)\).

Event \(K^{c}\)

If event \(K^{c}\) occurs, then the adversary \(M\) must have issued a session-key query to some session \(s\) such that \(K_{s}=K_{s^{*}}\) (where \(K_{s}\) and \(K_{s^{*}}\) denote the session-keys computed in sessions \(s\) and \(s^{*}\), respectively) and \(s\) does not match \(s^{*}\). We consider the following four events:

1. 1.

   \(A_{1}:\) there exist two sessions \(s_{1},s_{2}\) such that \(r_{s_{1}}=r_{s_{2}}\) (where \(r_{s_{1}}\) and \(r_{s_{2}}\) denote the random coins drawn in sessions \(s_{1}\) and \(s_{2}\), respectively).

2. 2.

   \(A_{2}:\) there exists a session \(s\) such that \(H_{1}(r_{s},sk_{{ actor},s})=H_{1}(r_{s^{*}},sk_{{ actor},s^{*}})\) and \(r_{s}\ne r_{s^{*}}\).

3. 3.

   \(A_{3}:\) there exists a session \(s^{\prime }\) such that \(H_{2}(\mathrm input _{s^{\prime }})=H_{2}(\mathrm input _{s^{*}})\) with \(\mathrm input _{s^{\prime }}\ne \mathrm input _{s^{*}}\).

4. 4.

   \(A_{4}:\) there exists an adversarial query \(\mathrm input _{M}\) to the oracle \(H_{2}\) such that \(H_{2}(\mathrm input _{M})=H_{2}(\mathrm input _{s^{*}})\) with \(\mathrm input _{M}\ne \mathrm input _{s^{*}}\).

Analysis of event \(K^{c}\)

We denote by \(q_{s}\) an upper bound on the number of activated sessions by the adversary and by \(q_\mathrm{ro 2}\) an upper bound on the number of queries to the random oracle \(H_{2}\). We have that

$$\begin{aligned} P(K^{c})&\le P(A_{1} \vee A_{2} \vee A_{3} \vee A_{4}) \le P(A_{1})+ P(A_{2}) + P(A_{3}) +P(A_{4})\\&\le \frac{q^{2}_{s}}{2}\frac{1}{2^{k}} + \frac{q_{s}}{p} + \frac{q_{s}+q_\mathrm{ro 2}}{2^{k}}, \end{aligned}$$

which is a negligible function of the security parameter \(k\).

In the subsequent events (and their analyses) we assume that no collisions in the queries to the oracle \(H_{1}\) occur and that none of the events \(A_{1},\ldots ,A_{4}\) occurs. Similar to [28, 37], we next consider the following three events:

1. 1.

   \(DL \wedge K\),

2. 2.

   \(T_{O}\wedge DL^{c} \wedge K\), and

3. 3.

   \((T_{O})^{c} \wedge DL^{c} \wedge K\), where

\(T_{O}\) denotes the event that there exists an origin-session for the test session, \(DL\) denotes the event where there exists a party \({\hat{C}}\in \mathcal{P }\) such that the adversary \(M\), during its execution, queries \(H_{1}\) with \((*,{c})\) before issuing a \(\mathsf{corrupt } ({\hat{C}})\) query and \(K\) denotes the event that \(M\) wins the security experiment against NAXOS by querying \(H_{2}\) with \((\sigma _{1},\sigma _{2},\sigma _{3},{\hat{A}},{\hat{B}})\), where \(\sigma _{1}=\text {CDH}(Y,A),\sigma _{2}=\text {CDH}(B,X)\) and \(\sigma _{3}=\text {CDH}(X,Y)\).

Note that we analyze the security of the NAXOS protocol in case the messages only contain the Diffie–Hellman exponentials.

Event \(DL\wedge K\)

This event is independent of the event that there exists an origin-session for the test session.

Let the input to the \({\mathrm{GAP\text {-}DLog}} \) challenge be \(C\). Suppose that event \(DL\wedge K\) occurs with non-negligible probability. In this case, the simulator \(S\) chooses one party \({\hat{C}}\in \mathcal{P }\) at random and sets its long-term public key to \(C\). \(S\) chooses long-term secret/public key pairs for the remaining honest parties and stores the associated long-term secret keys. Additionally \(S\) chooses a random value \(m\in _{R} \left\{ 1,2,\ldots ,q_{s}\right\} \). We denote the \(m\)’th activated session by adversary \(M\) by \(s^{*}\). Suppose further that \(s^{*}_{ actor}={\hat{A}}, s^{*}_{ peer}={\hat{B}}\) and \(s^{*}_{ role}=\mathcal I \), w. l. o. g.. The simulation of \(M^{\prime }\)s environment proceeds as follows:

1. 1.

   send queries are answered in the usual way. In case a session \(s\) is activated via a send query, \(S\) stores an entry of the form \(\left( s,r_{s},sk_{s_{{ actor}}},\kappa \right) \in (\mathcal{P }\times \mathbb N )\times \left\{ 0,1\right\} ^{k}\times (\mathbb Z _{p}\cup \left\{ *\right\} )\times \mathbb Z _{p}\) in a table \(Q\), initially empty, (unless ephemeral public key validation on the received element fails in which case the session is aborted). When computing the (outgoing) Diffie–Hellman exponential of session \(s\), \(S\) does the following:

   • \(S\) chooses \(r_{s}\in _{R} \left\{ 0,1\right\} ^{k}\) (i. e. the randomness of session \(s\)),

   • \(S\) chooses \(\kappa \in _{R}\mathbb Z _{p}\),

   • if \(s_{ actor}\ne {\hat{C}}\), then \(S\) stores the entry \(\left( s,r_{s},sk_{s_{ actor}},\kappa \right) \) in \(Q\), else \(S\) stores the entry \(\left( s,r_{s},*,\kappa \right) \) in \(Q\),² and

   • \(S\) returns the Diffie–Hellman exponential \(g^{\kappa }\) to \(M\).

2. 2.

   \(S\) stores entries of the form \(\left( {\hat{Q}_{i}},{\hat{Q}_{j}},r,U,V,\lambda \right) \in \mathcal{P }\times \{0,1\}^{*} \times \left\{ \mathcal I ,\mathcal R \right\} \times G\times G \times \left\{ 0,1\right\} ^{k}\) in a table \(T\), initially empty. Upon completion of session \(s\) with \(T_{s}=\left( {\hat{Q}_{i}},{\hat{Q}_{j}},\mathcal I ,U,V\right) \), \(S\) does the following:

   • If there exists an entry \(\left( {\hat{Q}_{j}},{\hat{Q}_{i}},\mathcal R ,V,U,\lambda \right) \) in table \(T\), then \(S\) stores \(\big ({\hat{Q}_{i}},{\hat{Q}_{j}},\mathcal I ,U,V,\lambda \big )\) in table \(T\).

   • Else if there exists an entry \(\left( \sigma _{1},\sigma _{2},\sigma _{3},{\hat{Q}_{i}},{\hat{Q}_{j}},\lambda \right) \) in table \(L\), for some \(\lambda \in \left\{ 0,1\right\} ^{k}\), such that \(\text {DDH}(V,U,\sigma _{3})=1\), \(\text {DDH}(U,Q_{j},\sigma _{2})=1\) and

     • \(V^{sk_{{\hat{Q}_{i}}}}=\sigma _{1}\) (in case \({\hat{Q}_{i}}\ne {\hat{C}}\)) or \(\text {DDH}(V,Q_{i},\sigma _{1})=1\) (in case \({\hat{Q}_{i}}={\hat{C}}\)),

     then \(S\) stores \(\left( {\hat{Q}_{i}},{\hat{Q}_{j}},\mathcal I ,U,V,\lambda \right) \) in table \(T\).

   • Else, \(S\) chooses \(\mu \in _{R} \left\{ 0,1\right\} ^{k}\) and stores the entry \(\left( {\hat{Q}_{i}},{\hat{Q}_{j}},\mathcal I ,U,V,\mu \right) \) in \(T\).

   The session-key of a completed session \(s\) with \(T_{s}=\left( {\hat{Q}_{j}},{\hat{Q}_{i}},\mathcal R ,V,U\right) \) is determined and stored similarly.

3. 3.

   \(\mathsf{ephemeral\text{- }key } (s)\): \(S\) answers this query in the appropriate way.

4. 4.

   \(\mathsf{session\text{- }key } (s)\): \(S\) answers this query by look-up in table \(T\).

5. 5.

   \(\mathsf{test\text{- }session } (s)\): If \(s\ne s^{*}\), then \(S\) aborts; otherwise \(S\) answers the query in the appropriate way.

6. 6.

   \(\mathsf{corrupt } ({\hat{P}})\): \(S\) answers this query in the appropriate way, except if \({\hat{P}}={\hat{C}}\) in which case \(S\) aborts with failure.

7. 7.

   \(S\) stores entries of the form \(\left( r,h,\kappa \right) \in \left\{ 0,1\right\} ^{k}\times \mathbb Z _{p}\times \mathbb Z _{p}\) in a table \(J\), initially empty. When \(M\) makes a query of the form \(\left( r,h\right) \) to the random oracle for \(H_{1}\), answer it as follows:

   • If \(C=g^{h}\), then \(S\) aborts \(M\) and is successful by outputting \({ DLog}(C)=h\).

   • Else if \(\left( r,h,\kappa \right) \in J\) for some \(\kappa \in \mathbb Z _{p}\), then \(S\) returns \(\kappa \) to \(M\).

   • Else if there exists an entry \(\left( s,r_{s},sk_{s_{ actor}},\kappa \right) \) in \(Q\), for some \(s\in \mathcal{P }\times \mathbb N ,r_{s}\in \left\{ 0,1\right\} ^{k},sk_{s_{ actor}}\in \mathbb Z _{p}\) and \(\kappa \in \mathbb Z _{p}\), such that \(r_{s}=r\) and \(sk_{s_{ actor}}=h\), then \(S\) returns \(\kappa \) to \(M\) and stores the entry \(\left( r,h,\kappa \right) \) in table \(J\).

   • Else, \(S\) chooses \(\kappa \in _{R} \mathbb Z _{p}\), returns it to \(M\) and stores the entry \(\left( r,h,\kappa \right) \) in \(J\).

8. 8.

   \(S\) stores entries of the form \(\left( \sigma _{1},\sigma _{2},\sigma _{3},{\hat{Q}_{i}},{\hat{Q}_{j}},\lambda \right) \in G\times G\times G\times \{0,1\}^{*}\times \{0,1\}^{*} \times \left\{ 0,1\right\} ^{k}\) in a table \(L\), initially empty. When \(M\) makes a query of the form \(\left( \sigma _{1},\sigma _{2},\sigma _{3},{\hat{Q}_{i}},{\hat{Q}_{j}}\right) \) to the random oracle for \(H_{2}\), answer it as follows:

   • If \(\left( \sigma _{1},\sigma _{2},\sigma _{3},{\hat{Q}_{i}},{\hat{Q}_{j}},\lambda \right) \in L\) for some \(\lambda \in \left\{ 0,1\right\} ^{k}\), then \(S\) returns \(\lambda \) to \(M\).

   • Else if there exist entries \(\left( {\hat{Q}_{i}},{\hat{Q}_{j}},\mathcal I ,U,V,\lambda \right) \) or \(\left( {\hat{Q}_{j}},{\hat{Q}_{i}},\mathcal R ,V,U,\lambda \right) \) in table \(T\), for some \(\lambda \in \left\{ 0,1\right\} ^{k}\) and \(U,V\in G\), such that \(\text {DDH}(V,U,\sigma _{3})=1\), \(\text {DDH}(V,Q_{i},\sigma _{1})=1\) and \(\text {DDH}(U,Q_{j},\sigma _{2})=1\), then \(S\) returns \(\lambda \) to \(M\) and stores the entry \(\left( \sigma _{1},\sigma _{2},\sigma _{3},{\hat{Q}_{i}},{\hat{Q}_{j}},\lambda \right) \) in table \(L\).

   • Else, \(S\) chooses \(\mu \in _{R} \left\{ 0,1\right\} ^{k}\), returns it to \(M\) and stores the entry \(\Big (\sigma _{1},\sigma _{2},\sigma _{3},{\hat{Q}_{i}},{\hat{Q}_{j}},\mu \Big )\) in \(L\).

9. 9.

   \(M\) outputs a guess: \(S\) aborts with failure.

Analysis of event \(DL\wedge K\)

\(S\)’s simulation of \(M\)’s environment is perfect except with negligible probability. The probability that \(M\) selects \(s^{*}\) as the test session is at least \(\frac{1}{q_{s}}\). Assuming that this is indeed the case, \(S\) does not abort in Step 5. With probability at least \(\frac{1}{N}\), \(S\) assigns the public key \(C\) to a party \({\hat{C}}\) for whom \(M\) queries \(H_{1}\) with \((*,h)\) such that \(C=g^{h}\) before issuing a \(\mathsf{corrupt } ({\hat{C}})\) query. In this case, \(S\) is successful as described in Step 7 and does not abort in Steps 6 and 9. Hence, if event \(DL\wedge K\) occurs, then the success probability of \(S\) is given by \(P(S)\ge \frac{1}{Nq_{s}} P(DL\wedge K)\).

Event \(T_{O}\wedge DL^{c}\wedge K\)

Let \(s^{*}\) and \(s^{\prime }\) denote the test session and the origin-session for the test session, respectively. We split event \({\mathrm{Ev}}:=T_{O}\wedge DL^{c}\wedge K\) into the following events \(B_{1},\ldots ,B_{3}\) so that \({\mathrm{Ev}} =B_{1}\vee B_{2}\vee B_{3}\):

1. 1.

   \(B_{1}:\) Ev occurs and \(s^{*}_{ peer}=s^{\prime }_{ actor}\).

2. 2.

   \(B_{2}:\) Ev occurs and \(s^{*}_{ peer}\ne s^{\prime }_{ actor}\) and \(M\) does not issue an \(\mathsf{ephemeral\text{- }key } (s^{\prime })\) query to the origin-session \(s^{\prime }\) of \(s^{*}\), but may issue a \(\mathsf{corrupt } (s^{*}_{ peer})\) query.

3. 3.

   \(B_{3}:\) Ev occurs and \(s^{*}_{ peer}\ne s^{\prime }_{ actor}\) and \(M\) does not issue a \(\mathsf{corrupt } (s^{*}_{ peer})\) query, but may issue an \(\mathsf{ephemeral\text{- }key } (s^{\prime })\) query to the origin-session \(s^{\prime }\) of \(s^{*}\).

Event \(B_{1}\)

Let the input to the \(GDH\) challenge be \((X_{0},Y_{0})\). Suppose that event \(B_{1}\) occurs with non-negligible probability. In this case \(S\) chooses long-term secret/public key pairs for all the honest parties and stores the associated long-term secret keys. Additionally \(S\) chooses two random values \(m,n\in _{R} \left\{ 1,2,\ldots ,q_{s}\right\} \). The \(m\)’th activated session by adversary \(M\) will be called \(s^{*}\) and the \(n\)’th activated session will be called \(s^{\prime }\). The ephemeral secret key of session \(s^{*}\) is denoted by \(\tilde{x}_{0}\) and the ephemeral secret key of session \(s^{\prime }\) is denoted by \(\tilde{y}_{0}\). Suppose further that \(s^{*}_{ actor}={\hat{A}}, s^{*}_{ peer}={\hat{B}}\) and \(s^{*}_{ role}=\mathcal I \), w. l. o. g.. The simulation of \(M^{\prime }\)s environment proceeds as follows:

1. 1.

   \(\mathsf{send } (s^{*},{\hat{B}})\): \(S\) sets the ephemeral public key \(X\) to \(X_{0}\) and answers the query with message \(X_{0}\).

2. 2.

   \(\mathsf{send } (s^{*},Y_{0})\): \(S\) proceeds with Step 7.

3. 3.

   \(\mathsf{send } (s^{\prime },{\hat{P}})\): \(S\) sets the ephemeral public key \(Y\) to \(Y_{0}\) and answers the query with message \(Y_{0}\).

4. 4.

   \(\mathsf{send } (s^{\prime },{\hat{P}},Z)\): \(S\) checks whether \(Z\in G\), sets the ephemeral public key \(Y\) to \(Y_{0}\), answers the query with message \(Y_{0}\) and proceeds with Step 7. If the check fails, session \(s^{\prime }\) is aborted.

5. 5.

   \(\mathsf{send } (s^{\prime },Z)\): \(S\) proceeds with Step 7.

6. 6.

   Other send queries are answered in the usual way.³

7. 7.

   \(S\) stores entries of the form \(\left( {\hat{Q}_{i}},{\hat{Q}_{j}},r,U,V,\lambda \right) \in \mathcal{P }\times \{0,1\}^{*}\times \left\{ \mathcal I ,\mathcal R \right\} \times G\times G \times \left\{ 0,1\right\} ^{k}\) in a table \(T\), initially empty. Upon completion of session \(s\) with \(T_{s}=\left( {\hat{Q}_{i}},{\hat{Q}_{j}},\mathcal I ,U,V\right) \), \(S\) does the following:

   • If there exists an entry \(\left( {\hat{Q}_{j}},{\hat{Q}_{i}},\mathcal R ,V,U,\lambda \right) \) in table \(T\), then \(S\) stores \(\big ({\hat{Q}_{i}},{\hat{Q}_{j}},\mathcal I ,U,V,\lambda \big )\) in table \(T\).

   • Else if there exists an entry \(\left( \sigma _{1},\sigma _{2},\sigma _{3},{\hat{Q}_{i}},{\hat{Q}_{j}},\lambda \right) \) in table \(L\), for some \(\lambda \in \left\{ 0,1\right\} ^{k}\), such that \(V^{sk_{{\hat{Q}_{i}}}}=\sigma _{1}\), \(\text {DDH}(U,Q_{j},\sigma _{2})=1\) and \(\text {DDH}(V,U,\sigma _{3})=1\), then \(S\) stores \(\left( {\hat{Q}_{i}},{\hat{Q}_{j}},\mathcal I ,U,V,\lambda \right) \) in table \(T\).

   • Else, \(S\) chooses \(\mu \in _{R} \left\{ 0,1\right\} ^{k}\), and stores the entry \(\left( {\hat{Q}_{i}},{\hat{Q}_{j}},\mathcal I ,U,V,\mu \right) \) in \(T\).

   The session-key of a completed session \(s\) with \(T_{s}=\left( {\hat{Q}_{j}},{\hat{Q}_{i}},\mathcal R ,V,U\right) \) is determined and stored similarly.

8. 8.

   \(\mathsf{ephemeral\text{- }key } (s)\): \(S\) answers this query in the appropriate way.

9. 9.

   \(\mathsf{session\text{- }key } (s)\): \(S\) answers this query by look-up in table \(T\).

10. 10.

    \(\mathsf{test\text{- }session } (s)\): If \(s\ne s^{*}\) or if \(s^{\prime }\) is not the origin-session for session \(s^{*}\), then \(S\) aborts; otherwise \(S\) answers the query in the appropriate way.

11. 11.

    \(H_{1}(r_{\!{\hat{C}}},{c})\): \(S\) simulates a random oracle in the usual way except if \({\hat{C}}={\hat{A}}\) (i.e. \({c}={a}\)) and \(r_{\!{\hat{C}}}=\tilde{x}_{0}\) or if \({\hat{C}}={\hat{B}}\) (i.e. \({c}={b}\)) and \(r_{\!{\hat{C}}}=\tilde{y}_{0}\), in which case \(S\) aborts with failure.

12. 12.

    \(\mathsf{corrupt } ({\hat{P}})\): \(S\) answers this query in the appropriate way.

13. 13.

    \(S\) stores entries of the form \(\left( \sigma _{1},\sigma _{2},\sigma _{3},{\hat{Q}_{i}},{\hat{Q}_{j}},\lambda \right) \in G\times G\times G \times \{0,1\}^{*}\times \{0,1\}^{*} \times \left\{ 0,1\right\} ^{k}\) in a table \(L\), initially empty. When \(M\) makes a query of the form \(\left( \sigma _{1},\sigma _{2},\sigma _{3},{\hat{Q}_{i}},{\hat{Q}_{j}}\right) \) to the random oracle for \(H_{2}\), answer it as follows:

    • If \(\left\{ {\hat{Q}_{i}},{\hat{Q}_{j}}\right\} =\left\{ {\hat{A}},{\hat{B}}\right\} \), \(\sigma _{1}=Y_{0}^{a}\), \(\sigma _{2}=X_{0}^{b}\) and \(\text {DDH}(X_{0},Y_{0},\sigma _{3})=1\), then \(S\) aborts \(M\) and is successful by outputting \(\text {CDH}(X_{0},Y_{0})=\sigma _{3}\).

    • Else if \(\left( \sigma _{1},\sigma _{2},\sigma _{3},{\hat{Q}_{i}},{\hat{Q}_{j}},\lambda \right) \in L\) for some \(\lambda \in \left\{ 0,1\right\} ^{k}\), then \(S\) returns \(\lambda \) to \(M\).

    • Else if there exist entries \(\left( {\hat{Q}_{i}},{\hat{Q}_{j}},\mathcal I ,U,V,\lambda \right) \) or \(\left( {\hat{Q}_{j}},{\hat{Q}_{i}},\mathcal R ,V,U,\lambda \right) \), for some \(\lambda \in \left\{ 0,1\right\} ^{k}\) and \(U,V\in G\), such that \(\text {DDH}(V,Q_{i},\sigma _{1})=1\), \(\text {DDH}(U,Q_{j},\sigma _{2})=1\) and \(\text {DDH}(V,U,\sigma _{3})=1\) in table \(T\), then \(S\) returns \(\lambda \) to \(M\) and stores the entry \(\left( \sigma _{1},\sigma _{2},\sigma _{3}, {\hat{Q}_{i}},{\hat{Q}_{j}},\lambda \right) \) in table \(L\).

    • Else, \(S\) chooses \(\mu \in _{R} \left\{ 0,1\right\} ^{k}\), returns it to \(M\) and stores the entry \(\big (\sigma _{1},\sigma _{2},\sigma _{3},{\hat{Q}_{i}},{\hat{Q}_{j}},\mu \big )\) in \(L\).

14. 14.

    \(M\) outputs a guess: \(S\) aborts with failure.

Analysis of event \(B_{1}\)

\(S\)’s simulation of \(M\)’s environment is perfect except with negligible probability. The probability that \(M\) selects \(s^{*}\) as the test session and \(s^{\prime }\) as the origin-session for the test session is at least \(\frac{1}{q^{2}_{s}}\). Assuming that this is indeed the case, \(S\) does not abort in Step 10. Recall that \({T} _{s^{*}}=({\hat{A}},{\hat{B}},\mathcal I ,X_{0},Y_{0})\). Since \(\tilde{x}_{0}\) is used only in the test session, \(M\) can only obtain it via an \(\mathsf{ephemeral\text{- }key } (s^{*})\) query before making an \(H_{1}\) query that includes \(\tilde{x}_{0}\). Similarly, \(M\) can only obtain \(\tilde{y}_{0}\) via an \(\mathsf{ephemeral\text{- }key } (s^{\prime })\) query on the origin-session \(s^{\prime }\) before making an \(H_{1}\) query that includes \(\tilde{y}_{0}\). Under event \(DL^{c}\), the adversary first issues a \(\mathsf{corrupt } ({\hat{P}})\) query to party \({\hat{P}}\) before making an \(H_{1}\) query that involves the long-term secret key of party \({\hat{P}}\). Freshness of the test session guarantees that the adversary can reveal at most one value in each of the pairs \((\tilde{x}_{0},a)\) and \((\tilde{y}_{0},b)\); hence \(S\) does not abort in Step 11. Under event \(K\), except with negligible probability of guessing \(\text {CDH}(X_{0},Y_{0})\), \(S\) is successful as described in the first case of Step 13 and does not abort as in Step 14. Hence, if event \(B_{1}\) occurs, then the success probability of \(S\) is given by \(P(S)\ge \frac{1}{q^{2}_{s}} P(B_{1})\).

Event \(B_{2}\)

Let the input to the \(GDH\) challenge be \((X_{0},Y_{0})\). Suppose that event \(B_{2}\) occurs with non-negligible probability. The simulation of \(S\) proceeds in a similar way as for event \(B_{1}\). Steps 8 and 11 need to be replaced by the following:

• \(\mathsf{ephemeral\text{- }key } (s)\): \(S\) answers this query in the appropriate way, except if \(s=s^{\prime }\) in which case \(S\) aborts with failure.

• \(H_{1}(r_{\!{\hat{C}}},{c})\): \(S\) simulates a random oracle in the usual way except if \({\hat{C}}={\hat{A}}\) (i.e. \({c}={a}\)) and \(r_{\!{\hat{C}}}=\tilde{x}_{0}\), in which case \(S\) aborts with failure.

Analysis of event \(B_{2}\)

\(S\)’s simulation of \(M\)’s environment is perfect except with negligible probability. The probability that \(M\) selects \(s^{*}\) as the test session and \(s^{\prime }\) as the origin-session for the test session is \(\frac{1}{q^{2}_{s}}\). Recall that \({T} _{s^{*}}=({\hat{A}},{\hat{B}},\mathcal I ,X_{0},Y_{0})\). Since \(\tilde{x}_{0}\) is used only in the test session, \(M\) can only obtain it via an \(\mathsf{ephemeral\text{- }key } (s^{*})\) query before making an \(H_{1}\) query that includes \(\tilde{x}_{0}\). Under event \(DL^{c}\), the adversary first issues a \(\mathsf{corrupt } ({\hat{P}})\) query to party \({\hat{P}}\) before making an \(H_{1}\) query that involves the long-term secret key of party \({\hat{P}}\). Freshness of the test session guarantees that the adversary can reveal at most one value of the pair \((\tilde{x}_{0},a)\). Under event \(B_{2}\) the simulation does not fail as in Step 8. Under event \(K\), except with negligible probability of guessing \(\text {CDH}(X_{0},Y_{0})\), \(S\) is successful as described in the first case of Step 13 and does not abort as in Step 14. Hence, if event \(B_{2}\) occurs, then the success probability of \(S\) is given by \(P(S)\ge \frac{1}{q^{2}_{s}} P(B_{2})\).

Event \(B_{3}\)

Let the input to the \(GDH\) challenge be \((X_{0},B)\). Suppose that event \(B_{3}\) occurs with non-negligible probability. In this case, \(S\) chooses one party \({\hat{B}}\in \mathcal{P }\) at random and sets its long-term public key to \(B\). \(S\) chooses long-term secret/public key pairs for the remaining parties in \(\mathcal{P }\) and stores the associated long-term secret keys. Additionally \(S\) chooses two random values \(m,n\in _{R} \left\{ 1,2,\ldots ,q_{s}\right\} \). We denote the \(m\)’th activated session by adversary \(M\) by \(s^{*}\) and the \(n\)’th activated session by \(s^{\prime }\). The ephemeral secret key of session \(s^{*}\) is denoted by \(\tilde{x}_{0}\). Suppose further that \(s^{*}_{ actor}={\hat{A}}, s^{*}_{ peer}={\hat{B}}\) and \(s^{*}_{ role}=\mathcal I \), w. l. o. g.. The simulation of \(M^{\prime }\)s environment proceeds as follows:

1. 1.

   \(\mathsf{send } (s^{*},{\hat{B}})\): \(S\) sets the ephemeral public key \(X\) to \(X_{0}\) and answers the query with message \(X_{0}\).

2. 2.

   \(\mathsf{send } (s^{*}, Z)\): \(S\) proceeds with Step 4.

3. 3.

   Other send queries are answered as for event \(DL\wedge K\).

4. 4.

   \(S\) stores entries of the form \(\left( {\hat{Q}_{i}},{\hat{Q}_{j}},r,U,V,\lambda \right) \in \mathcal{P }\times \{0,1\}^{*} \times \left\{ \mathcal I ,\mathcal R \right\} \times G\times G\times \left\{ 0,1\right\} ^{k}\) in a table \(T\), initially empty. Upon completion of session \(s\) with \(T_{s}=\left( {\hat{Q}_{i}},{\hat{Q}_{j}},\mathcal I ,U,V\right) \), \(S\) proceeds as for event \(DL\wedge K\) (see above).

5. 5.

   \(\mathsf{ephemeral\text{- }key } (s)\): \(S\) answers this query in the appropriate way.

6. 6.

   \(\mathsf{session\text{- }key } (s)\): \(S\) answers this query by look-up in table \(T\).

7. 7.

   \(\mathsf{test\text{- }session } (s)\): If \(s\ne s^{*}\) or if \(s^{\prime }\) is not the origin-session for session \(s^{*}\), then \(S\) aborts; otherwise \(S\) answers the query in the appropriate way.

8. 8.

   \(H_{1}(r_{\!{\hat{C}}},{c})\): \(S\) simulates a random oracle in the usual way except if \({\hat{C}}={\hat{A}}\) (i.e. \({c}={a}\)) and \(r_{\!{\hat{C}}}=\tilde{x}_{0}\), in which case \(S\) aborts with failure.

9. 9.

   \(\mathsf{corrupt } ({\hat{P}})\): \(S\) answers this query in the appropriate way, except if \({\hat{P}}={\hat{B}}\) in which case \(S\) aborts with failure.

10. 10.

    \(S\) stores entries of the form \(\left( \sigma _{1},\sigma _{2},\sigma _{3},{\hat{Q}_{i}},{\hat{Q}_{j}},\lambda \right) \in G\times G\times G \times \mathcal{P }\times \mathcal{P }\times \left\{ 0,1\right\} ^{k}\) in a table \(L\), initially empty. When \(M\) makes a query of the form \(\left( \sigma _{1},\sigma _{2},\sigma _{3},{\hat{Q}_{i}},{\hat{Q}_{j}}\right) \) to the random oracle for \(H_{2}\), answer it as follows:

    • If \(\left\{ {\hat{Q}_{i}},{\hat{Q}_{j}}\right\} =\left\{ {\hat{A}},{\hat{B}}\right\} \), \(\sigma _{1}=A^{H_{1}(r_{s^{\prime }},sk_{s^{\prime }_{ actor}})}\), \(\text {DDH}(X_{0},B,\sigma _{2})=1\), and \(\sigma _{3}=X_{0}^{H_{1}(r_{s^{\prime }},sk_{s^{\prime }_{ actor}})}\), then \(S\) aborts \(M\) and is successful by outputting \(\text {CDH}(X_{0},B)=\sigma _{2}\).

    • Else if \(\left( \sigma _{1},\sigma _{2},\sigma _{3},{\hat{Q}_{i}},{\hat{Q}_{j}},\lambda \right) \in L\) for some \(\lambda \in \left\{ 0,1\right\} ^{k}\), then \(S\) returns \(\lambda \) to \(M\).

    • Else if there exist entries \(\left( {\hat{Q}_{i}},{\hat{Q}_{j}},\mathcal I ,U,V,\lambda \right) \) or \(\left( {\hat{Q}_{j}},{\hat{Q}_{i}},\mathcal R ,V,U,\lambda \right) \) in table \(T\), for some \(\lambda \in \left\{ 0,1\right\} ^{k}\) and \(U,V\in G\), such that \(\text {DDH}(V,U,\sigma _{3})=1\), \(\text {DDH}(V,Q_{i},\sigma _{1})=1\) and \(\text {DDH}(U,Q_{j},\sigma _{2})=1\), then \(S\) returns \(\lambda \) to \(M\) and stores the entry \(\left( \sigma _{1},\sigma _{2},\sigma _{3},{\hat{Q}_{i}},{\hat{Q}_{j}},\lambda \right) \) in table \(L\).

    • Else, \(S\) chooses \(\mu \in _{R} \left\{ 0,1\right\} ^{k}\), returns it to \(M\) and stores the entry \(\big (\sigma _{1},\sigma _{2},\sigma _{3},{\hat{Q}_{i}},{\hat{Q}_{j}},\mu \big )\) in \(L\).

11. 11.

    \(M\) outputs a guess: \(S\) aborts with failure.

Analysis of event \(B_{3}\)

\(S\)’s simulation of \(M\)’s environment is perfect except with negligible probability. The probability that \(M\) selects \(s^{*}\) as the test session and \(s^{\prime }\) as its origin-session is at least \(\frac{1}{q^{2}_{s}}\). Assuming that this is indeed the case, \(S\) does not abort in Step 7. With probability \(\frac{1}{N}\), \(S\) assigns the public key \(B\) to the peer of the test session \({\hat{B}}\). Under event \(B_{3}\), \(M\) does not issue a \(\mathsf{corrupt } ({\hat{B}})\) query, and so \(S\) does not abort in Step 9. Similarly, \(S\) does not abort in Step 11 and is successful as described in Step 10. Hence, if event \(B_{3}\) occurs, then the success probability of \(S\) is given by \(P(S)\ge \frac{1}{Nq^{2}_{s}} P(B_{3})\).

Event \((T_{O})^{c}\wedge DL^{c}\wedge K\)

If there is no origin-session for the test session, then there is also no matching session for the test session. Hence \(((T_{O})^{c}\wedge DL^{c}\wedge K)\subseteq ((T_{M})^{c}\wedge DL^{c} \wedge K)\) (where \(T_{M}\) denotes the event that there exists a matching session for the test session) which implies that event \((T_{O})^{c}\wedge DL^{c}\wedge K\) is covered in the analysis of event \((T_{M})^{c}\wedge DL^{c}\wedge K\) for which we refer the reader to [27, 28]. Note that, similar to the simulation related to Event \(B_{3}\),

• \(S\) checks whether there is a query \((\sigma _{1},\sigma _{2},\sigma _{3},{\hat{Q}_{i}},{\hat{Q}_{j}})\) by \(M\) to \(H_{2}\) such that \(\left\{ {\hat{Q}_{i}},{\hat{Q}_{j}}\right\} =\left\{ {\hat{A}},{\hat{B}}\right\} \), \(\text {DDH}(A,Y,\sigma _{1})=1, \text {DDH}(X_{0},B,\sigma _{2})=1\) and \(\text {DDH}(X_{0},Y,\sigma _{3})=1\) (assuming that the test session \(s^{*}\) is given by \(T_{s^{*}}=({\hat{A}},{\hat{B}},\mathcal I ,X_{0},Y)\) to solve the \(GDH\) instance \((X_{0},B)\), and

• \(S\) keeps consistency between session-key and \(H_{2}\) queries as well as between send and \(H_{1}\) queries. \(\square \)

1.3 3. Proof of Proposition 7

Proposition 7 Under the GAP-CDH assumption in the cyclic group \(G\) of prime order \(p\), the protocol \(\pi _{1}\)-\({core}\) satisfies eCK\(^{\text {passive}}\) security, when \({ KDF}\) is modeled as a random oracle.

Proof

Let the test session \(s^{*}\) be given by \({T} _{s^{*}}=({\hat{A}},{\hat{B}},\mathcal I ,X,Y)\). We first consider event \(K^{c}\) where the adversary \(M\) wins the security experiment against \(\pi _{1}\text {-core}\) (with non-negligible advantage) and does not query \({ KDF}\) with \(({\hat{A}},{\hat{B}},\sigma ,X)\), where \(\sigma =\text {CDH}(YB,XA)\).

Event \(K^{c}\)

If event \(K^{c}\) occurs, then the adversary \(M\) must have issued a session-key query to some session \(s\) such that \(K_{s}=K_{s^{*}}\) (where \(K_{s}\) and \(K_{s^{*}}\) denote the session-keys computed in sessions \(s\) and \(s^{*}\), respectively) and \(s\) does not match \(s^{*}\). We consider the following three events:

1. 1.

   \(A_{1}:\) there exist two sessions \(s_{1},s_{2}\) such that \(r_{s_{1}}=r_{s_{2}}\) (where \(r_{s_{1}}\) and \(r_{s_{2}}\) denote the random coins drawn in sessions \(s_{1}\) and \(s_{2}\), respectively). Note that \(A_{1}\) includes the event where there exists a session \(s\) with \({T} _{s}={T} _{s^{*}}\) as well as the event where two sessions use the same random coins (possibly leading to ephemeral-key queries).

2. 2.

   \(A_{2}:\) there exists a session \(s\) such that \({ KDF}(\mathrm input _{s})={ KDF}(\mathrm input _{s^{*}})\) with \(\mathrm input _{s}\ne \mathrm input _{s^{*}}\).

3. 3.

   \(A_{3}:\) there exists an adversarial query \(\mathrm input _{M}\) to the oracle \({ KDF}\) such that \({ KDF}(\mathrm input _{M})={ KDF}(\mathrm input _{s^{*}})\) with \(\mathrm input _{M}\ne \mathrm input _{s^{*}}\).

Analysis of event \(K^{c}\)

We denote by \(q_{s}\) an upper bound on the number of activated sessions by the adversary and by \(q_\mathrm{ro }\) an upper bound on the number of queries to the random oracle \({ KDF}\). We have that

$$\begin{aligned} P(K^{c})&\le P(A_{1} \vee A_{2} \vee A_{3}) \le P(A_{1})+ P(A_{2}) + P(A_{3})\\&\le \frac{q^{2}_{s}}{2p} + \frac{q_{s}+q_\mathrm{ro }}{2^{k}}, \end{aligned}$$

which is a negligible function of the security parameter \(k\).

In the subsequent events (and their analyses) we assume that none of the events \(A_{1},\ldots ,A_{3}\) occurs. We consider the following event:

$$\begin{aligned} T_{O} \wedge K,\ \text {where} \end{aligned}$$

\(T_{O}\) denotes the event that there exists an origin-session for the test session, and \(K\) denotes the event that \(M\) wins the security experiment against \(\pi _{1}\text {-core}\) by querying \({ KDF}\) with \(({\hat{A}},{\hat{B}},\sigma ,X)\), where \(\sigma =\text {CDH}(YB,XA)\). Recall that in case there is no origin-session for the test session, the test session is not \({\text {eCK}^{\mathrm{passive}}}_{\mathrm{fresh}}\).

Event \(T_{O}\wedge K\)

Let \(s^{*}\) and \(s^{\prime }\) denote the test session and the origin-session for the test session, respectively. We split event \({\mathrm{Ev}}:=T_{O}\wedge K\) into the following events \(B_{1},\ldots ,B_{4}\) so that \({\mathrm{Ev}} =B_{1}\vee B_{2}\vee B_{3}\vee B_{4}\):

1. 1.

   \(B_{1}:\) Ev occurs and the adversary does issue neither \(\mathsf{ephemeral\text{- }key } (s^{\prime })\) nor \(\mathsf{ephemeral\text{- }key } (s^{*})\), but may issue the queries \(\mathsf{corrupt } (s^{*}_{ actor})\) and \(\mathsf{corrupt } (s^{*}_{ peer})\).

2. 2.

   \(B_{2}:\) Ev occurs and the adversary does issue neither \(\mathsf{ephemeral\text{- }key } (s^{*})\) nor \(\mathsf{corrupt } (s^{*}_{ peer})\), but may issue the queries \(\mathsf{corrupt } (s^{*}_{ actor})\) and \(\mathsf{ephemeral\text{- }key } (s^{\prime })\).

3. 3.

   \(B_{3}:\) Ev occurs and the adversary does issue neither \(\mathsf{ephemeral\text{- }key } (s^{\prime })\) nor \(\mathsf{corrupt } (s^{*}_{ actor})\), but may issue the queries \(\mathsf{corrupt } (s^{*}_{ peer})\) and \(\mathsf{ephemeral\text{- }key } (s^{*})\).

4. 4.

   \(B_{4}:\) Ev occurs and the adversary does issue neither \(\mathsf{corrupt } (s^{*}_{ actor})\) nor \(\mathsf{corrupt } (s^{*}_{ peer})\), but may issue the queries \(\mathsf{ephemeral\text{- }key } (s^{\prime })\) and \(\mathsf{ephemeral\text{- }key } (s^{*})\).

Event \(B_{1}\)

We denote by \(X,Y\) the ephemeral public keys sent, received during the test session \(s^{*}\). Revealing the long-term secret keys of both \(s^{*}_{ actor}\) and \(s^{*}_{ peer}\), the adversary \(E\) could distinguish the session-key of the test session from a random key by computing \(\text {CDH}(X,Y)=g^{xy}\) (where \(X=g^{x}\) and \(Y=g^{y}\)) since

$$\begin{aligned} g^{xy}=(YB)^{x+a}Y^{-a}X^{-b}B^{-a}. \end{aligned}$$

We solve the GAP-CDH problem with probability \(\frac{1}{(q_{s})^{2}}P(Q)\) where \(P(Q)\) must be negligible since the GAP-CDH problem is hard in \(G\).

Consider the following algorithm \(C\) which uses adversary \(E\) as a subroutine.

ALGORITHM \(C\): The algorithm is given a pair \((X,Y)\) of elements from \(G\) as an instance of the GAP-CDH problem. The algorithm randomly selects a session number \(n\) from \(\left\{ 1,\ldots ,q_{s}\right\} \) which reflects the guess that the \(n\)-th activated session, say session \(s^{\prime }\), is the origin-session for session \(s^{*}\). \(C\) chooses long-term public keys for all parties and stores the associated secret keys.

1. 1.

   Run \(E\) on input \(1^{k}\) and the public keys for all of the \(N\) parties.

2. 2.

   \(\mathsf{send } (s^{*},{\hat{B}})\): \(C\) sets the ephemeral public key to \(X\) and answers the query with the message \(X\).

3. 3.

   \(\mathsf{send } (s^{\prime },{\hat{P}})\) or \(\mathsf{send } (s^{\prime },{\hat{P}},Z)\): \(C\) sets the ephemeral public key to \(Y\) and answers the query with the message \(Y\).

4. 4.

   Other \(\mathsf{send } \) queries are answered in the usual way (note that, if the group check fails, the session is aborted).

5. 5.

   \(\mathsf{ephemeral\text{- }key } (s)\): \(C\) answers in the appropriate way, except if \(s=s^{\prime }\) or \(s=s^{*}\) in which cases \(C\) aborts with failure.

6. 6.

   \(\mathsf{corrupt } ({\hat{P}})\): \(C\) answers in the appropriate way.

7. 7.

   \(\mathsf{test\text{- }session } (s)\): If \(s\ne s^{*}\) or if \(s^{\prime }\) is not the origin-session for session \(s^{*}\), then \(C\) aborts; otherwise \(C\) answers the query in the appropriate way.

8. 8.

   Store entries of the form \(\left( {\hat{Q}_{i}},{\hat{Q}_{j}},Z,U,\lambda \right) \in \{0,1\}^{*}\times \{0,1\}^{*}\times G\times G\times \left\{ 0,1\right\} ^{k}\) in a table \(L\), initially empty. When \(E\) makes a query of the form \(\left( {\hat{Q}_{i}},{\hat{Q}_{j}},Z,U\right) \) to the random oracle for \({ KDF}\), answer it as follows:

   • If \(\left\{ {\hat{Q}_{i}},{\hat{Q}_{j}}\right\} =\left\{ {\hat{A}},{\hat{B}}\right\} \), \(U=X\) and \(\text {DDH}(XA,YB,Z)=1\), then \(C\) aborts \(E\) and is successful by outputting \(\text {CDH}(X,Y)=ZY^{-a}X^{-b}B^{-a}\).

   • Else if \(\left( {\hat{Q}_{i}},{\hat{Q}_{j}},Z,U,\lambda \right) \in L\) for some \(\lambda \in \left\{ 0,1\right\} ^{k}\), then \(C\) returns \(\lambda \) to \(E\).

   • Else if there exist entries \(\left( {\hat{Q}_{i}},{\hat{Q}_{j}},\mathcal I ,U,V,\lambda \right) \) or \(\left( {\hat{Q}_{j}},{\hat{Q}_{i}},\mathcal R ,V,U,\lambda \right) \), for some \(\lambda \in \left\{ 0,1\right\} ^{k}\) and \(V\in G\), such that \(\text {DDH}(VP_{j},UP_{i},Z)=1\) in table \(T\), then \(C\) returns \(\lambda \) to \(E\) and stores the entry \(\left( {\hat{Q}_{i}},{\hat{Q}_{j}},Z,U,\lambda \right) \) in table \(L\).

   • Else, \(C\) chooses \(\mu \in _{R} \left\{ 0,1\right\} ^{k}\), returns it to \(E\) and stores the entry \(\left( {\hat{Q}_{i}},{\hat{Q}_{j}},Z,U,\mu \right) \) in \(L\).

9. 9.

   Store entries of the form \(\left( {\hat{Q}_{i}},{\hat{Q}_{j}},r,U,V,\lambda \right) \in \mathcal{P }\times \{0,1\}^{*}\times \left\{ \mathcal I ,\mathcal R \right\} \times G\times G\times \left\{ 0,1\right\} ^{k}\) in a table \(T\), initially empty. Upon completion of session \(s\) with \(T_{s}=\left( {\hat{Q}_{i}},{\hat{Q}_{j}},\mathcal I ,U,V\right) \), \(C\) proceeds as follows:

   • If there exists an entry \(\left( {\hat{Q}_{j}},{\hat{Q}_{i}},\mathcal R ,V,U,\lambda \right) \) in table \(T\), then \(C\) stores \(\big ({\hat{Q}_{i}},{\hat{Q}_{j}},\mathcal I ,U,V,\lambda \big )\) in table \(T\).

   • Else if there exists an entry \(\left( {\hat{Q}_{i}},{\hat{Q}_{j}},Z,U,\lambda \right) \) in table \(L\), for some \(\lambda \in \left\{ 0,1\right\} ^{k}\), such that \(\text {DDH}(UP_{i},VP_{j},Z)=1\), then \(C\) stores \(\left( {\hat{Q}_{i}},{\hat{Q}_{j}},\mathcal I ,U,V,\lambda \right) \) in table \(T\).

   • Else, \(C\) chooses \(\mu \in _{R} \left\{ 0,1\right\} ^{k}\) and stores the entry \(\left( {\hat{Q}_{i}},{\hat{Q}_{j}},\mathcal I ,U,V,\mu \right) \) in \(T\).

   The session-key of a completed session \(s\) with \(T_{s}=\left( {\hat{Q}_{j}},{\hat{Q}_{i}},\mathcal R ,V,U\right) \) is determined and stored similarly.

10. 10.

    \(\mathsf{session\text{- }key } (s)\): \(C\) answers this query by look-up in table \(T\).

11. 11.

    \(E\) outputs a guess: \(C\) aborts with failure.

Analysis of event \(B_{1}\)

The probability that \(E\) selects \(s^{*}\) as the test session and \(s^{\prime }\) as the origin-session for the test session is at least \(\frac{1}{(q_{s})^{2}}\). Assume that this is indeed the case. Then \(C\) does not abort as in Step 7. Under event \(B_{1}\) the simulation does not fail as in Step 5. Under event \(Q\), \(C\) is successful as described in the first case of Step 8 and does not abort as in Step 11. \(C\) correctly computes the GAP-CDH instance with probability at least \(\frac{1}{(q_{s})^{2}}P(Q)\) which implies that \(P(Q)\le (q_{s})^{2} Adv_{C}^{\text {GAP-CDH}}(k)\).

Event \(B_{2}\)

We denote by \(X=g^{x},Y=g^{y}\) the ephemeral public keys sent, received during the test session \(s^{*}\). Revealing the long-term secret key of the actor \({\hat{A}}\) of the test session and the ephemeral key of the origin-session \(s^{\prime }\) for session \(s^{*}\), the adversary \(E\) could distinguish the session-key of the test session from a random key by computing \(DH_{g}(X,B)=g^{xb}\) where \(B=g^{b}\) denotes the public key of \(s^{*}_{ peer}={\hat{B}}\), since

$$\begin{aligned} g^{xb}=(YB)^{x+a}X^{-y}Y^{-a}B^{-a}. \end{aligned}$$

We solve the GAP-CDH problem with probability \(\frac{1}{q_{s}N}P(Q)\) where \(P(Q)\) must be negligible since GAP-CDH problem is hard in \(G\).

Consider the following algorithm \(C^{\prime }\) which uses adversary \(E\) as a subroutine.

ALGORITHM \(C^{\prime }\): The algorithm is given a pair \((X,B)\) of elements from \(G\) as an instance of the GAP-CDH problem. \(C^{\prime }\) selects one party \({\hat{B}}\) (uniformly at random from the set \(\mathcal{P }\)) and sets its long-term public key to \(B\). \(C^{\prime }\) chooses long-term public keys for the remaining parties and stores the associated secret keys. Let us denote the ephemeral public key sent by the origin-session (and received by the test session) by \(Y\).

1. 1.

   Run \(E\) on input \(1^{k}\) and the public keys for all of the \(N\) parties.

2. 2.

   \(\mathsf{send } (s^{*},{\hat{P}})\): If \({\hat{P}}\ne {\hat{B}}\), then \(C^{\prime }\) aborts; otherwise \(C^{\prime }\) sets the ephemeral public key to \(X\) and answers the query with the message \(X\).

3. 3.

   Other \(\mathsf{send } \) queries are answered in the usual way, e. g. if \(E\) issues a \(\mathsf{send } (s,{\hat{P}}, V)\) query to session \(s\), then check whether \(V\in G\). If yes, choose \(w\in _{R} \mathbb Z _{p}\), compute \(W=g^{w}\,(\in G)\) and return \(W\) to E. If no, then abort session \(s\).

4. 4.

   \(\mathsf{ephemeral\text{- }key } (s)\): \(C^{\prime }\) answers in the appropriate way, except if \(s=s^{*}\) in which case \(C^{\prime }\) aborts with failure.

5. 5.

   \(\mathsf{corrupt } ({\hat{P}})\): \(C^{\prime }\) answers in the appropriate way, except if \({\hat{P}}={\hat{B}}\) in which case \(C^{\prime }\) aborts with failure.

6. 6.

   \(\mathsf{test\text{- }session } (s)\): If \(s\ne s^{*}\), then \(C^{\prime }\) aborts; otherwise \(C^{\prime }\) answers the query appropriately.

7. 7.

   Store entries of the form \(\left( {\hat{Q}_{i}},{\hat{Q}_{j}},Z,U,\lambda \right) \in \{0,1\}^{*}\times \{0,1\}^{*}\times G\times G\times \left\{ 0,1\right\} ^{k}\) in a table \(L\), initially empty. When \(E\) makes a query of the form \(\left( {\hat{Q}_{i}},{\hat{Q}_{j}},Z,U\right) \) to the random oracle for \({ KDF}\), answer it as follows:

   • If \(\left\{ {\hat{Q}_{i}},{\hat{Q}_{j}}\right\} =\left\{ {\hat{A}},{\hat{B}}\right\} \), \(U=X\) and \(\text {DDH}(XA,YB,Z)=1\), then \(C^{\prime }\) aborts \(E\) and is successful by outputting \(\text {CDH}(X,B)=ZY^{-a}X^{-y}B^{-a}\) (this computation requires the knowledge of \(a\), therefore we must require that \({\hat{A}}\ne {\hat{B}}\)).

   • Else, proceed as in Step 8 of the simulation related to event \(B_{1}\).

8. 8.

   Store entries of the form \(\left( {\hat{Q}_{i}},{\hat{Q}_{j}},r,U,V,\lambda \right) \in \mathcal{P }\times \{0,1\}^{*}\times \left\{ \mathcal I ,\mathcal R \right\} \times G\times G\times \left\{ 0,1\right\} ^{k}\) in a table \(T\), initially empty, as in the previous simulation related to event \(B_{1}\).

9. 9.

   \(\mathsf{session\text{- }key } (s)\): \(C^{\prime }\) answers this query by look-up in table \(T\).

10. 10.

    \(E\) outputs a guess: \(C^{\prime }\) aborts with failure.

Analysis of event \(B_{2}\)

The probability that \(E\) selects \(s^{*}\) as the test session and \({\hat{B}}\) as the peer for the test session is at least \(\frac{1}{q_{s}N}\). Assume that this is indeed the case. Then \(C^{\prime }\) does not abort as in Step 2 or Step 6. Under event \(B_{2}\) the simulation does not fail as in steps 4, 5. Under event \(Q\), \(C^{\prime }\) is successful as described in the first case of Step 7 and does not abort as in Step 10. \(C^{\prime }\) correctly computes the GAP-CDH instance with probability at least \(\frac{1}{q_{s}N}P(Q)\) which implies that \(P(Q)\le q_{s}N Adv_{C^{\prime }}^{\text {GAP-CDH}}(k)\).

The analyses of events \(B_{3}\) and \(B_{4}\) are similar to the previous analyses. \(\square \)